Sophisticated 'state-sponsored' spying tool targeted governments and infrastructure for years
A sophisticated piece of malware dubbed Regin has been used to spy on governments, infrastructure operators and other high-profile targets, security company Symantec has revealed. It has also targeted private individuals and businesses, particularly in Russia.
The back door-type Trojan displays a “degree of technical competence rarely seen,” Symantec said in a press release. The complexity of the malware enabled the intruders to build a framework for mass surveillance. Targets include private companies, government entities and research think tanks. Attacks on telecoms companies were allegedly carried out to gain access to calls being routed through their infrastructure.
The company believes the Trojan was most likely developed by a nation state, since a piece of software of this kind would have taken months, if not years, to build and to cover its tracks. After analyzing its capabilities further, the company concluded that Regin could be one of the main cyber espionage tools used by the nation state involved.
Almost a third of the confirmed infections were discovered in Russia, with a further 24 percent in Saudi Arabia. Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan are also on the list.
“Regin is a highly complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources,” Symantec said.
Symantec found that the malware was in use between 2008 and 2011, before being abruptly withdrawn; a new version resurfaced in 2013 and has been active since.
Regin uses a modular approach, allowing it to load only the features that fit a given target and so tailor its spying to each victim. “Its design makes it highly suited for persistent, long-term surveillance operations against targets,” the security company says.
Its five-stage loading architecture, with each stage beyond the first stored hidden and encrypted, makes it similar to the Duqu/Stuxnet threats, Symantec said. “Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat,” the press release reads. Furthermore, Regin is equipped with a number of stealth features, so that even after the Trojan’s presence is detected it is “very difficult to ascertain what it is doing.”
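The domino chain Symantec describes is easier to see in code. The following Python model is an added example, not Regin's code or Symantec's analysis: it assumes a constructed scheme in which stage 1 is the only stage stored in the clear and every later stage is encrypted under a key derived from the decrypted stage before it. A SHA-256 counter keystream stands in for the malware's custom encryption, and the STAGE marker, the sample stage bodies and all function names are constructed for illustration. The point it makes concrete is the one in the press release: an analyst who has collected stages 4 and 5 but is missing stage 3 can decrypt nothing beyond stage 2, and stages 3 to 5 on their own yield nothing at all.

```python
import hashlib
from typing import List, Optional

# Constructed model of a chained multi-stage loader (added illustration, not
# Regin's real on-disk format or cipher; the page gives neither). The hash-based
# keystream is a stand-in for "custom encryption", not a vetted cipher.

STAGES = 5
MAGIC = b"STAGE"  # constructed marker heading each plaintext stage; lets a decryption be validated


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a deterministic keystream of `length` bytes from `key`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _next_key(previous_plaintext: bytes) -> bytes:
    """Key for stage n+1 is derived from stage n's *decrypted* body, so it exists only once stage n has run."""
    return hashlib.sha256(previous_plaintext).digest()


def make_stage(n: int, body: bytes) -> bytes:
    """Constructed stage plaintext: marker, one-byte stage number, then the body."""
    return MAGIC + bytes([n]) + body


def is_valid_stage(plaintext: bytes, n: int) -> bool:
    """A decryption is accepted only if the marker and stage number come out intact."""
    return (plaintext[:len(MAGIC)] == MAGIC
            and len(plaintext) > len(MAGIC)
            and plaintext[len(MAGIC)] == n)


def build_chain(bodies: List[bytes]) -> List[bytes]:
    """Blobs as they would sit on a victim: stage 1 in the clear (it is the loader),
    each later stage encrypted under a key derived from the stage before it."""
    plaintexts = [make_stage(i + 1, b) for i, b in enumerate(bodies)]
    blobs = [plaintexts[0]]
    for i in range(1, len(plaintexts)):
        key = _next_key(plaintexts[i - 1])
        blobs.append(_xor(plaintexts[i], _keystream(key, len(plaintexts[i]))))
    return blobs


def run_chain(blobs: List[bytes]) -> List[bytes]:
    """What the loader does on the host: the domino chain, each stage decrypting the next."""
    stages = [blobs[0]]
    for blob in blobs[1:]:
        key = _next_key(stages[-1])
        stages.append(_xor(blob, _keystream(key, len(blob))))
    return stages


def stages_recoverable(collected: List[Optional[bytes]]) -> int:
    """Analyst's view: given the blobs collected from a host (None = not recovered), how many
    stages can actually be decrypted and validated? A gap at stage k hides every later stage,
    even when those later blobs were collected."""
    if not collected or collected[0] is None or not is_valid_stage(collected[0], 1):
        return 0
    recovered = [collected[0]]
    for n, blob in enumerate(collected[1:], start=2):
        if blob is None:
            break
        plain = _xor(blob, _keystream(_next_key(recovered[-1]), len(blob)))
        if not is_valid_stage(plain, n):
            break
        recovered.append(plain)
    return len(recovered)


# Constructed sample bodies; real stages would be drivers and modules, not strings.
SAMPLE_BODIES = [b"constructed body of stage %d" % (i + 1) for i in range(STAGES)]

if __name__ == "__main__":
    blobs = build_chain(SAMPLE_BODIES)
    print("all five collected ->", stages_recoverable(blobs))
    partial = list(blobs)
    partial[2] = None
    print("stage 3 missing    ->", stages_recoverable(partial))
    print("stages 3-5 only    ->", stages_recoverable([None, None] + blobs[2:]))
```

In this model the analyst's validation check (`is_valid_stage`) is the stand-in for recognising a well-formed decrypted module; without the preceding stage there is no key to try, so the later blobs are opaque no matter how many of them were collected, which is exactly why Symantec says all five stages must be acquired before the threat can be understood.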
Researchers say many components of the malware remain undiscovered, and additional functionality and versions may still exist.